Archive for the ‘Uncertainty’ category

RISKVIEWS believes that this may be the best top 10 list of posts in the history of this blog. Thanks to our readers whose clicks resulted in their selection.

Instructions for a 17 Step ORSA Process– Own Risk and Solvency Assessment is here for Canadian insurers, coming in 2015 for US and required in Europe for 2016. At least 10 other countries have also adopted ORSA and are moving towards full implementation. This post leads you to 17 other posts that give a detailed view of the various parts to a full ORSA process and report.

What kind of Stress Test? – Risk managers need to do a better job communicating what they are doing. Much communication about risk models and stress tests is fairly mechanical and technical. This post suggests some plain English terminology to describe the stress tests to non-technical audiences such as boards and top management.

ORSA ==> AC – ST > RCS– You will notice a recurring theme in 2014 – ORSA. That topic has taken up much of RISKVIEWS’ time in 2014 and will likely take up even more in 2015 and after as more and more companies undertake their first ORSA process and report. This post is a simple explanation of the question that ORSA is trying to answer that RISKVIEWS has used when explaining ORSA to a board of directors.

The History of Risk Management – Someone asked RISKVIEWS to do a speech on the history of ERM. This post and the associated new permanent page are the notes from writing that speech. Much more here than could fit into a 15 minute talk.

Hierarchy Principle of Risk Management– There are thousands of risks faced by an insurer that do not belong in their ERM program. That is because of the Hierarchy Principle. Many insurers who have followed someone’s urging that ALL risks need to be included in ERM belatedly find out that no one in top management wants to hear from them or to let them talk to the board. A good dose of the Hierarchy Principle will fix that, though it will take time. Bad first impressions are difficult to fix.

What CEO’s Think about Risk– A discussion of three different aspects of decision-making as practiced by top management of companies, and of how the decision-making processes that are taught to quants can make quants less effective when trying to explain their work and conclusions.

Decision Making Under Deep Uncertainty– Explores the concepts of Deep Uncertainty and Wicked Problems. Of interest if you have any risks that you find yourself unable to clearly understand or if you have any problems where all of the apparent solutions are strongly opposed by one group of stakeholders or another.

While that report focuses upon that one specific activity – Investing, and one area of deep uncertainty – Climate Change, there are some very interesting suggestions contained there that can be more broadly applied.

First, let’s look at the idea of Deep Uncertainty. They define it as:

deep uncertainty is a situation in which analysts do not know or cannot agree on (1) models that relate key forces that shape the future, (2) probability distributions of key variables and parameters in these models, and/or (3) the value of alternative outcomes.

In 1973, Horst W.J. Rittel and Melvin M. Webber, two Berkeley professors, published an article in Policy Sciences introducing the notion of “wicked” social problems. The article, “Dilemmas in a General Theory of Planning,” named 10 properties that distinguished wicked problems from hard but ordinary problems.

1. There is no definitive formulation of a wicked problem. It’s not possible to write a well-defined statement of the problem, as can be done with an ordinary problem.

2. Wicked problems have no stopping rule. You can tell when you’ve reached a solution with an ordinary problem. With a wicked problem, the search for solutions never stops.

3. Solutions to wicked problems are not true or false, but good or bad. Ordinary problems have solutions that can be objectively evaluated as right or wrong. Choosing a solution to a wicked problem is largely a matter of judgment.

4. There is no immediate and no ultimate test of a solution to a wicked problem. It’s possible to determine right away if a solution to an ordinary problem is working. But solutions to wicked problems generate unexpected consequences over time, making it difficult to measure their effectiveness.

5. Every solution to a wicked problem is a “one-shot” operation; because there is no opportunity to learn by trial and error, every attempt counts significantly. Solutions to ordinary problems can be easily tried and abandoned. With wicked problems, every implemented solution has consequences that cannot be undone.

6. Wicked problems do not have an exhaustively describable set of potential solutions, nor is there a well-described set of permissible operations that may be incorporated into the plan. Ordinary problems come with a limited set of potential solutions, by contrast.

7. Every wicked problem is essentially unique. An ordinary problem belongs to a class of similar problems that are all solved in the same way. A wicked problem is substantially without precedent; experience does not help you address it.

8. Every wicked problem can be considered to be a symptom of another problem. While an ordinary problem is self-contained, a wicked problem is entwined with other problems. However, those problems don’t have one root cause.

9. The existence of a discrepancy representing a wicked problem can be explained in numerous ways. A wicked problem involves many stakeholders, who all will have different ideas about what the problem really is and what its causes are.

10. The planner has no right to be wrong. Problem solvers dealing with a wicked issue are held liable for the consequences of any actions they take, because those actions will have such a large impact and are hard to justify.

These Wicked Problems sound very similar to Deep Uncertainty.

The World Bank report suggests that “Accepting uncertainty mandates a focus on robustness”.

A robust decision process implies the selection of a project or plan which meets its intended goals – e.g., increase access to safe water, reduce floods, upgrade slums, or many others– across a variety of plausible futures. As such, we first look at the vulnerabilities of a plan (or set of possible plans) to a field of possible variables. We then identify a set of plausible futures, incorporating sets of the variables examined, and evaluate the performance of each plan under each future. Finally, we can identify which plans are robust to the futures deemed likely or otherwise important to consider.

That sounds a lot like a risk management approach. Taking your plans and looking at how your plans work under a range of scenarios.

This is a different approach from what business managers are trained to take. And it is a clear example of the fundamental conflict between risk management thinking and the predominant thinking of company management.

What business managers are taught to do is to predict the most likely future scenario and to make plans that will maximize the results under that scenario.

And that approach makes sense when faced with a reliably predictable world. But in those situations when you are faced with Deep Uncertainty or Wicked Problems, the Robust Approach should be the preferred approach.

Risk managers need to understand that businesses mainly need to apply the Robust/risk management techniques to these Wicked Problems and Deep Uncertainty. It is a major waste of time to seek to apply the Robust Approach when the situation is not that extreme. Risk managers need to develop skills and processes to identify these situations. Risk managers need to “sell” this approach to top management. Risks need to be divided into two classes – “normal” and “Deep Uncertain/Wicked” and the Robust Approach used for planning what to do regarding the business activities subject to that risk. The Deep Uncertainty may not exist now, but the risk manager needs to have the credibility with top management when they bring their reasoning for identifying a new situation of Deep Uncertainty.


RISKVIEWS played the board game Risk Legacy with the family yesterday. We were playing for the 8th time. This game is a version of the board game Risk where the rules are changed by the players after each time playing the game. Most often, the winner is the person who most quickly adapts to the new rules. Once the other players see how the rules can be exploited, they can adapt to defend against that particular strategy, but at the same time, the rules have changed again, presenting a new way to win.

This game provides a brilliant metaphor for the real world and the problems faced by business and risk managers in constantly having to adapt both to avoid losing and to find the path to winning. The biggest risk is that the rules keep changing. But unlike the game, where the changes are public and happen only once per game, in the real world, the changes to the rules are often hidden and can happen at any time.

Regulators are forced to follow a path very much like the Risk Legacy game of making public changes on a clear timetable, but competitors can change their prices or their products or their distribution strategy at any time. Customers can change their behaviors, sometimes drastically, most often gradually without notice. Even the weather seems to change, but we are not really sure how much.

Meanwhile, risk managers have been forced into a universe of their own design with the movement towards heavy metal complex risk models. Those models are most often based upon the premise that when it comes to risk, things will not change. That the future will be much like the past and in fact, that even inquiring about changes may be difficult and may therefore be discouraged due to limited resources.

But risk can be thought of as the tail of the cat. The exact path of the cat is unpredictable. The rules for what a cat is trying to accomplish at any point in time keep changing. Not constantly changing, but changing nonetheless without warning. So imagine trying to model the path of the cat. Now shift to the tail of the cat representing the risk. The tail has a much wider and more unpredictable path than the body of the cat.

That is not to suggest that the path of the tail (the risk) is wildly unpredictable. But keeping up with the tail requires much more than simply extrapolating the path of the cat from the recent past. It requires keeping up with the ever changing path of the cat. And the tail movement will often represent the possibilities for changes in the future path.

Some risk models and risk management programs are created with recognition of the likelihood that the rules will change, sometimes even between the time that the model assumptions are set and when the model results are presented. In those programs, the models are valued for their insights into the nature of risk, but of the risk as it was in the recent past. And with recognition that the risk to come will be somewhat different because the rules will change.


The magazine of the Society of Actuaries published eight short essays on a variety of ERM topics.

Making Risk Models Collaborative With our risk models, we make the contribution of managers to the risk management of the company disappear into the mist of probabilities. And then we wonder why so many managers are opposed to “letting a model run the company.”

We Must Legitimize Uncertainty In a post to the Harvard Business Review blog, “American CEO’s should Stop Complaining about Uncertainty,” Jonathan Berman points out that while African companies are able to cope with their uncertain environment, American CEOs mostly just complain. Americans must legitimize the Uncertain environment and study how best to cope.

Finding a Safe Place New ERM and Old School goals for risk management all seek to keep the company safe.

ERM and the Hierarchy of Corporate Needs The reason that ERM is not given the degree of priority that its proponents desire is that it is at best third in the hierarchy of corporate needs.

Help Wanted: Risk Tolerance It is a rare company that can create a risk appetite statement if they do not already have years of experience with the measure of risk that will be used.

Are you Sure about that? Frequently, we ignore the fact that our risk models do NOT produce information about our risks that is all consistently reliable. Yet we still add those numbers together as if they were on the exact same basis.

Ignoring is perhaps the most common approach to large but infrequent risks.

Most people think of a 1 in 100 year event as something so rare as it will never happen.

But just take a second and look at the mortality risk of a life insurer. Each insured has on average around a 1-2 in 1000 likelihood of death in any one year. However, life insurers do not plan for zero claims. They plan for 1-2 in 1000 of their policies to have a death claim in any one year. No one thinks it odd that something with a 1-2 in 1000 likelihood happens hundreds of times in a year. No one goes around scoffing at the validity of the model or likelihood estimate because such a rare event has happened.

But somehow, that seemingly totally simple-minded logic escapes most people when dealing with other risks. They scoff at how silly it is that so many 1 in 100 events happen in a year. Of course, they say, such estimates of likelihood MUST be wrong.

So they go forth ignoring the risk and ignoring the attempts at estimating the expected frequency of loss. The cost of ignoring a low frequency risk is zero in most years.

And of course, any options for transferring such a risk will have both an expected frequency and an uncertainty charge built in, which makes those options much too expensive.

The big difference is that a large life insurer takes on hundreds of thousands and in the largest cases, millions of exposures to the 1-2 in 1000 risks. Of course, the law of large numbers turns these individual ultra low frequency risks into a predictable claims pattern, in many cases one with a fairly tight distribution of possible claims.

But because they are ignored, no one tries to know how many of those 1 in 100 risks we are exposed to. But the statistics of 20 or 50 or 100 totally unrelated 1 in 100 risks are exactly the same as the life insurance math.

With 100 totally unrelated independent 1 in 100 risks, the chance of one or more turning into a loss in any one year is 63%!

And the most common reaction to the experience of a 1 in 100 event happening is to decide that the statistics are all wrong!

After Superstorm Sandy, NY Governor Cuomo told President Obama that NY “has a 100-year flood every two years now.” Cuomo had been governor for less than two full years at that point.

The point is that organizations must go against the natural human impulse to separately decide to ignore each of their “rare” risks and realize that the likelihood of experiencing one of these rare events is not so rare; what is uncertain is which one.


Often called emerging risks. Going back to Knight’s definitions of Risk and Uncertainty, there is very little risk contained in these potential situations. Emerging risks are often pure uncertainty. Humans are good at finding patterns. Emerging risks are breaks in patterns.

What to Do about Emerging Risks…

Emerging risks are defined by AM Best as “new or evolving risks that are difficult to manage because their identification, likelihood of occurrence, potential impacts, timing of occurrence or impact, or correlation with other risks, are highly uncertain.” An example from the past is asbestos; other current examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. Lloyd’s, a major sufferer from the former emerging risk of asbestos, takes emerging risks very seriously. They think of emerging risks as “an issue that is perceived to be potentially significant but which may not be fully understood or allowed for in insurance terms and conditions, pricing, reserving or capital setting”.

What do the rating agencies expect?

AM Best says that insurers need “sound risk management practices relative to its risk profile and considering the risks inherent in the liabilities it writes, the assets it acquires and the market(s) in which it operates, and takes into consideration new and emerging risks.” In 2013, Best has added a question asking insurers to identify emerging risks to the ERM section of the SRQ. Emerging Risks Management has been one of the five major pillars of the Standard & Poor’s Insurance ERM ratings criteria since 2006.

How do you identify emerging risks?

A recent report from the World Economic Forum, the Global Risks 2012 report, is based on a survey of 469 experts from industry, government, academia and civil society that examines 50 global risks. Those experts identified 8 of those 50 risks as having the most significance over the next 10 years:

Chronic fiscal imbalances

Cyber attacks

Extreme volatility in energy and agriculture prices

Food shortage crises

Major systemic financial failure

Rising greenhouse gas emissions

Severe income disparity

Water supply crises

This survey method for identifying or prioritizing risks is called the Delphi method and can be used by any insurer. Another popular method is called environmental scanning which includes simply reading and paying attention for unusual information about situations that could evolve into future major risks.

What can go wrong?

Many companies do not have any process to consider emerging risks. At those firms, managers usually dismiss many possible emerging risks as impossible. It may be the company culture to scoff at the sci fi thinking of the emerging risks process. The process Taleb describes of finding ex post explanation for emerging Black Swan risks is often the undoing of careful plans to manage emerging risk. In addition, lack of imagination causes some managers to conclude that the past worst case is the outer limit for future losses.

What can you do about emerging risks?

The objectives for emerging risks management are just the same as for other more well-known risks: to reduce the frequency and severity of future losses. The uncertain nature of emerging risks makes that much more difficult to do cost effectively. Insurers can use scenario testing to examine potential impact of emerging risks and to see what actions taken in advance of their emergence might lessen exposures to losses. This scenario testing can also help to identify what actions might lessen the impact of an unexpected loss event that comes from a very rapidly emerging risk. Finally, insurers seek to identify and track leading indicators of impending new risk emergence.

Reinsurance is one of the most effective ways to protect against emerging risks, second only to careful drafting of insurance contract terms and conditions.

Many of the largest insurers and reinsurers have developed very robust practices to identify and to prepare for emerging risks. Other companies can learn from the insurers who practice emerging risk management and adapt the same processes to their emerging risks.

Normal risk control processes focus on everyday risk management, including the management of identifiable risks and/or risks where uncertainty and unpredictability are mitigated by historical data that allow insurers to estimate loss distribution with reasonable confidence. Emerging risk management processes take over for risks that do not currently exist but that might emerge at some point due to changes in the environment. Emerging risks may appear abruptly or slowly and gradually, are difficult to identify, and may for some time represent an ill formed idea more than factual circumstances. They often result from changes in the political, legal, market, or physical environment, but the link between cause and effect is fully known in advance. An example from the past is asbestos; other examples could be problems deriving from nanotechnology, genetically modified food, climate change, etc. For these risks, normal risk identification and monitoring will not work because the likelihood is usually completely unknown. Nevertheless, past experience shows that when they materialize, they have a significant impact on the insurers and therefore cannot be excluded from a solid risk management program. So insurers have implemented unique specific strategies and approaches to cope with them properly.

Identifying emerging risks

Emerging risks have not yet materialized or are not yet clearly defined and can appear abruptly or very slowly. Therefore, having some sort of early warning system in place, methodically identified either through internal or external sources, is very important. To minimize the uncertainty surrounding these risks, insurers will consistently gather all existing relevant information to amass preliminary evidence of emerging risks, which would allow the insurer to reduce or limit growth of exposure as the evidence becomes more and more certain. However, insurers practicing this discipline will need to be aware of the cost of false alarms.

Assessing their significance

Assess the relevance (i.e. potential losses) of the emerging risks linked to a company’s commitment— which classes of business and existing policies would be affected by the materialization of the risk—and continue with the assessment of the potential financial impact, taking into account potential correlation with other risks already present in the firm. For an insurer, the degree of concentration and correlation of the risks that they have taken on from their customers are two important parameters to be considered; the risk in question could be subject to very low frequency/high intensity manifestations, but if exposure to that particular risk is limited, then the impact on the company may not be as important. On the other hand, unexpected risk correlations should not be underestimated; small individual exposures can coalesce into an extreme risk if underlying risks are highly interdependent. When developing extreme scenarios, some degree of imagination to think of unthinkable interdependencies could be beneficial.

A further practice of insurers is to sometimes work backwards from concentrations to risks. Insurers might envision risks that could apply to their concentrations and then track for signs of risk emergence in those areas. Some insurers set risk limits for insurance concentrations that are very similar to investment portfolio credit limits, with maximum concentrations in specific industries in geographic or political regions. In addition, just as investment limits might restrict an insurer’s debt or equity position as a percentage of a company’s total outstanding securities, some insurers limit the percentage of coverage they might offer in any of the sectors described above.

Define appropriate responses

Responses to emerging risks might be part of the normal risk control process, i.e., risk mitigation or transfer, either through reinsurance (or retrocession) in case of insurance risks, through the financial markets for financial risks, or through general limit reduction or hedging. When these options are not available or the insurer decides not to use them, it must be prepared to shoulder significant losses, which can strain a company’s liquidity. Planning access to liquidity is a basic part of emerging risk management. Asset-selling priorities, credit facilities with banks, and notes programs are possible ways of managing a liquidity crisis.

Apart from liquidity crisis management, other issues exist for which a contingency plan should be identified in advance. The company should be able to quickly estimate and identify total losses and the payments due. It should also have a clear plan for settling the claims in due time so as to avoid reputation issues. Availability of reinsurance is also an important consideration: if a reinsurer were exposed to the same risks, it would be a sound practice for the primary insurer to evaluate the risk that the reinsurer might delay payments.

Advance Warning Process

For the risks that have been identified as most significant and where the insurer has developed coherent contingency plans, the next step is to create and install an advance warning process. To do that, the insurer identifies key risk indicators that provide an indication of increasing likelihood of a particular emerging risk.

Learn

Finally, sound practices for managing emerging risks include establishing procedures for learning from past events. The company will identify problems that appeared during the last extreme event and identify improvements to be added to the risk controls. In addition, expect to get better at each step of the emerging risk process with time and experience.

But emerging risk management costs money. And the costs that are most difficult to defend are the emerging risks that never emerge. A good emerging risk process will have many more misses than hits. Real emerged risks are rare. A company that is really taking emerging risks seriously will be taking actions on occasion that cost money to perform and possibly include a reduction in the risks accepted and the attendant profits. Management needs to have a tolerance for these costs. But not too much tolerance.


Severe and intense threats are usually associated with dramatic weather events, terrorist attacks, earthquakes, nuclear accidents and such like. When one of these types of threats is thought to be imminent, people will often cooperate with a cooperative ERM scheme, if one is offered. But when the threat actually happens, there are four possible responses: cooperation with the disaster plan, becoming immobilized and ignoring the disaster, panic, and anti-social advantage taking. Disaster planning sometimes goes no further than developing a path for people with the first response. A full disaster plan would need to take into account all four reactions. Plans would be made to deal with the labile and panicked people and to prevent the damage from the anti-social. In businesses, a business continuity or disaster plan would fall into this category of activity.

When businesses do a first assessment, risks are often displayed in four quadrants: Low Likelihood/Low Severity; Low Likelihood/High Severity; High Likelihood/Low Severity; and High Likelihood/High Severity. It is extremely difficult to survive if your risks are High Likelihood/High Severity, so few businesses find that they have risks in that quadrant. So businesses usually only have risks in this category that are Low Likelihood.

Highly Cooperative mode of Risk Management means that everyone is involved in risk management because you need everyone to be looking out for the threats. This falls apart quickly if your threats are not Severe and Intense because people will question the need for so much vigilance.

Highly Complex threats usually come from the breakdown of a complex system of some sort that you are counting upon. For an insurer, this usually means that events that they thought had low interdependency end up with a high correlation. Or else a new source of large losses emerges from an existing area of coverage. Other complex threats that threaten the life insurance industry include the interplay of financial markets and competing products, such as happened in the 1980’s when money market funds threatened to suck all of the money out of insurers, or in the 1990’s the variable products that decimated the more traditional guaranteed minimum return products.

In addition, financial firms all create their own complex threat situations because they tend to be exposed to a number of different risks. Keeping track of the magnitude of several different risk types and their interplay is itself a complex task. Without very complex risk evaluation tools and the help of trained professionals, financial firms would be flying blind. But these risk evaluation tools themselves create a complex threat.

Highly Organized mode of Risk Management means that there are many very different specialized roles within the risk management process. There may be different teams doing risk assessment, risk mitigation and assurance for each separate threat. This can only make sense when the rewards for taking these risks are large, because this mode of risk management is very expensive.

Highly Unpredictable Threats are common during times of transition when a system is reorganizing itself. “Uncertain” has been the word most often used in the past several years to describe the current environment. We just are not sure what will be hitting us next. Neither the type of threat, the timing, frequency or severity is known in advance of these unpredictable threats.

Businesses operating in less developed economies will usually see this as their situation. Governments change, regulations change, the economy dips and weaves, access to resources changes abruptly, wars and terrorism are real threats.

Highly Adaptable mode of Risk Management means that you are ready to shift among the other three modes at any time and operate in a different mode for each threat. The highly adaptable mode of risk management also allows for quick decisions to abandon the activity that creates the threat at any time. But taking up new activities with other unique threats is less of a problem under this mode. Firms operating under the highly adaptive mode usually make sure that their activities do not all lead to a single threat and that they are highly diversified.

Benign Threats are things that will never do more than partially reduce earnings. Small stuff. Not good news, but not bad enough to lose any sleep over.

Low Cooperation mode of Risk Management means that individuals within their firm can be separately authorized to undertake activities that expand the threats to the firm. The individuals will all operate under some rules that put boundaries around their freedom, but most often these firms police these rules after the action, rather than with a process that prevents infractions. At the extreme of low cooperation mode of risk management, enforcement will be very weak.

For example, many banks have been trying to get by with a low cooperation mode of ERM. Risk Management is usually separate and adversarial. The idea is to allow the risk takers the maximum degree of freedom. After all, they make the profits of the bank. The idea of VaR is purely to monitor earnings fluctuations. The risk management systems of banks had not even been looking for any possible Severe and Intense Threats. As their risk shifted from a simple “Credit” or “Market” to very complex instruments that had elements of both with highly intricate structures there was not enough movement to the highly organized mode of risk management within many banks. Without the highly organized risk management, the banks were unable to see the shift of those structures from highly complex threats to severe and intense threats. (Or the risk staff saw the problem, but were not empowered to force action.) The low cooperation mode of risk management was not able to handle those threats and the banks suffered large losses or simply collapsed.